Preparing for Q-Day: securing the future of payments in the quantum era

Camilla Bullock, CEO of the Emerging Payments Association Asia (EPAA), discusses how the payments and fintech sector must start preparing now for Q-Day, the moment quantum computers will break current encryption standards.

Who is Camilla Bullock, and how does her professional background tie into the Emerging Payments Association Asia (EPAA) vision and mission?

As CEO and Co-Founder of the Emerging Payments Association Asia (EPAA), I’m focused on bringing together intelligence, experience, and collaboration across Asia Pacific (APAC) to shape the payment industry’s future. Our mission is to foster collaboration, innovation, and integrity so that information and value can move safely and efficiently for everyone.

I’m proud of what we’ve achieved since EPAA’s founding in 2018. We’ve become a trusted counterpart in international dialogue, contributing to Financial Stability Board task forces and the G20 agenda to enhance payments, drive innovation, and improve cross-border interoperability.

My career began in financial data services, where I spent more than ten years with what is now the London Stock Exchange Group. Working with data provided me with a strong foundation for understanding payments, because, in its simplest form, payments are really just the movement of data.

Over the years, I’ve come to realise that every conversation in payments ultimately becomes a conversation about data – whether it’s about accuracy, accessibility, or the ability to share it securely. Many of the industry’s biggest challenges trace back to that. And just as importantly, better data sharing remains one of the most powerful tools we have to strengthen trust, combat fraud, and build more resilient systems.

I’ve always been an entrepreneur at heart. In 2016, I founded Suite2Go, a boutique consultancy that helped fintechs grow and achieve commercial success in Australia. That experience led to the creation of EPAA, because I was driven by bringing people together to share insight, build trust, and challenge each other. I really believe this is how real progress happens.

Recently, the association launched a report on quantum-safe payments. As quantum computing is a technical topic, why should banks and fintechs be aware of it and put it on their business agenda?

The algorithms and encryption methods we rely on today will no longer hold once quantum capabilities become available. That means the secure channels, authentication keys, and encrypted data we depend on could all be compromised if we don’t transition in time.

So, while the topic might sound technical, what banks and fintechs need to be aware of is that it’s not the payments technology that’s at risk, it’s the cryptography that secures it.

Our report is about migration, coordination, and timing, and it’s critical that the industry is aware of it now. Payments depend on layers of trust built over decades, and those layers can’t be rebuilt overnight. If we wait until quantum capability is on the market, we’ll already be behind.

At EPAA, we see this as a business and risk conversation, not just a technology one. Awareness and coordination – both within organisations and across the industry – will determine whether payments remain trusted in the quantum era. The time to make those decisions is now.

Can you share some of the main findings of the report? What did you find more striking?

What really stood out from the report was how limited awareness still is, even among those already leaning in. Across our workshops in Sydney, Hong Kong, Singapore, and Malaysia, we surveyed almost 200 payments and financial services professionals. Only 20 % said their senior stakeholders were very familiar with the quantum threat, while nearly half said they were not very familiar or not familiar at all.

And remember, these are the people already engaged in the conversation – the ones who chose to attend. That means awareness and action are likely far lower across the wider industry. Fewer than one-third of organisations told us they have any kind of formal plan for migration to quantum-safe cryptography, and many cited unclear standards, vendor dependencies, or lack of leadership buy-in as key blockers.

That’s the most striking finding for me. Even among the early movers, we’re still at the awareness stage. If readiness looks like this within the leading edge, the gap across the ecosystem is far greater. That’s why the conversation needs to shift from understanding the risk to coordinating the response.

Can you explain a bit the concept of ‘harvest now, decrypt later’ – what could be the consequences of these attacks on banks and fintechs?

Harvest now, decrypt later means attackers are already stealing encrypted data today, such as transaction records, customer files, or internal messages, even if they cannot read it yet. They are storing it because they know that once quantum computers are strong enough, they will be able to unlock that data.

For banks and fintechs, that is a serious risk. It means the information you think is safely encrypted now could be exposed years down the track. That could include payment data, compliance archives, or customer details. The damage would not just be technical. It would affect trust, reputation, and possibly regulatory obligations.

This is not a future problem waiting for quantum computers to arrive. It is a present risk because the data being stolen today will still be valuable when quantum decryption becomes possible. That is why it is so important that the industry starts moving toward quantum safe security now, not later.

What are leading institutions doing to mitigate risk? How does a good quantum-ready strategy at the business level look?

There are examples of real action taking place, although it’s happening in pockets. Some of the leading institutions have started to take stock of where their cryptography sits and how it runs through their systems. They are building inventories to understand their exposure and mapping which data, systems, and partners rely on encryption that will need to change. From there, they are setting out transition strategies, assigning resources, and planning timelines so they can move quickly as new standards are finalised.

In our working group, we have been sharing what good practice looks like. It starts with awareness and ownership at the business level, not just in technology teams. A strong quantum-ready strategy connects strategy, risk, process, and technology. It means knowing which assets are most exposed, updating policies and procurement to include quantum-safe requirements, and making sure boards have clear visibility of progress.

The most forward-looking organisations are building cryptographic agility now, so they can switch algorithms as standards evolve rather than rebuild everything later. This is not about waiting for a date in the future. It is about starting the transition before the window for safe migration closes.

Where do vulnerabilities remain?

Vulnerabilities remain everywhere. We don’t think any organisation can claim to be fully ready yet, and across the industry we’re even further behind. Payments are a network industry, and no single player operates in isolation. Every transaction depends on multiple parties, systems, and intermediaries. Unfortunately, that means we are never safer than the weakest link.

The estimations reveal that we might have performing quantum computers ready over the next 5-10 years. What would be your recommendations for banks and fintech to get ready for that moment?

If we accept that performing quantum computers could be available within the next five to ten years, then the priority for banks and fintechs is to build awareness and the internal capacity to understand the threat. You can’t manage what you don’t understand.

The next step is to start mapping where encryption is used, how critical it is to your operations, and where the biggest dependencies sit. From there, lean into industry collaboration, because this isn’t a challenge any organisation can tackle in isolation. Payments are deeply interconnected, and we need coordination across the ecosystem, including guidance and alignment from policymakers and regulators.

This is about timing and coordination. The organisations that start preparing early and move together will be the ones that maintain trust when quantum capability arrives.

About the author

Camilla Bullock, Chief Executive Officer, Emerging Payments Association Asia  

Camilla’s role is to bring together the different participants in the value chain of payments for collaboration. The core of the EPAA activities is policy and advocacy to enhance the industry. Camilla has a long career in the financial technology industry, starting in London in early 2000, working for Reuters (today London Stock Exchange Group), and often talks about coming home when she started her work in the payments industry. 

 

About Emerging Payments Association Asia (EPAA) 

 

The Emerging Payments Association Asia (EPAA) is a leading membership organisation for innovative businesses in the Asia Pacific payments ecosystem, including payment schemes, banks, issuers, merchant acquirers, PSPs, technology providers, and wallets. With a strong membership base, policy connections, a thought leader community, and seats in international task forces, EPAA organises industry-shaping topic discussions, think tanks, and networking events.